Cyber security trends for 2018

The year 2017 was a bad cybersecurity year, and cybersecurity dangers are expected to spike in 2018. The security situation was so bad in 2017 that some thought we were hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse before they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed, it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facility operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.

Here is a list of relevant cyber security terms for 2018:

AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. The threat landscape now expands dizzyingly, at the pace of hundreds of thousands of new attack variants every day, and as the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions could possibly help with some security problems, but be warned of the over-hyping of AI in solutions. We will also see many attacks against ‘black box’ machine learning: an attacker who can only query a model and observe its answers can still craft inputs that it misclassifies.

Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: endpoint, AV, cloud, network/infrastructure, application, compliance, and the list goes on and on. The overwhelming array of choices has given technologists a lot to evaluate, but the tools have not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than on simply checking all of the boxes with niche security tools.

Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

Automation: Enterprises will no longer only react manually to cyber events after they happen, but will instead use systems to proactively plan and automatically respond. Security policy orchestration and automation are set to lead next-generation cybersecurity for enterprises.

Backups: Understand and back up your data. Categorize data based on organizational value. Test that your backup and restore process actually works: a backup that has never been restored is not yet known to be a backup.

Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward better protection of assets, business and humanity is to assume that everything is connected – and therefore vulnerable. A second could be to invest in a network visibility solution. Behavioral analytics enables verification that users are doing the right thing. There are more and more tools to help companies detect anomalous behavior in their organizations.

Blockchain: A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double-spending problem without the need for a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community-based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as a looming security risk, and some see that authorized browser mining could be used for micro-payments.
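The “linked and secured using cryptography” part is the one property worth seeing in code. The block below is an added example written for this post, not code from the original page or from any blockchain project: it builds a hash-linked ledger over three constructed transfers, then edits a stored record and shows that verification pinpoints the altered block. Consensus, mining and networking are deliberately left out.

```python
"""Hash-linked ledger: added example, not code from the original post or from any
blockchain project. Records, names and the genesis value are constructed."""
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed predecessor hash for the first block


def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical JSON encoding of the block contents."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """Append each record as a block whose hash commits to the previous block's hash."""
    chain = []
    prev_hash = GENESIS_PREV
    for index, data in enumerate(records):
        h = block_hash(index, prev_hash, data)
        chain.append({"index": index, "prev": prev_hash, "data": data, "hash": h})
        prev_hash = h
    return chain


def verify_chain(chain):
    """Recompute every hash and check every link.

    Returns (True, None) for an intact chain, or (False, i) where block i is the
    first block whose stored hash or predecessor link no longer matches."""
    prev_hash = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev_hash:
            return False, block["index"]
        if block_hash(block["index"], block["prev"], block["data"]) != block["hash"]:
            return False, block["index"]
        prev_hash = block["hash"]
    return True, None


def tamper_demo():
    """Constructed ledger of three transfers; rewrite block 1 after the fact."""
    chain = build_chain([
        {"from": "alice", "to": "bob", "amount": 5},
        {"from": "bob", "to": "carol", "amount": 2},
        {"from": "carol", "to": "dave", "amount": 1},
    ])
    intact = verify_chain(chain)          # (True, None)
    chain[1]["data"]["amount"] = 200      # the tampering
    return intact, verify_chain(chain)    # second element: (False, 1)


if __name__ == "__main__":
    print(tamper_demo())
```

Note what this does and does not give you: anyone who can rewrite block 1 and every block after it produces a chain that verifies just fine. The data structure only detects modification by someone who cannot recompute the rest of the chain; making that recomputation expensive or contested is what mining and consensus add, and that is also why a “private blockchain” with one writer is just an append-only log with extra steps.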

Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches was anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.

Certificates: Facebook released new Certificate Transparency tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. Monitoring the Certificate Transparency logs (CT logs) lets a domain owner notice a certificate they never requested, so that a mis-issued certificate can be reported and revoked before it is used for man-in-the-middle attacks; CT makes mis-issuance visible, it does not prevent it. With hundreds of Certificate Authorities (CAs) able to issue publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates for your domain.
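The alerting logic behind such a monitor is small, and the part people get wrong is the name matching. The block below is an added example, not Facebook’s tool and not part of the original post. It assumes the CT entries have already been fetched from a log or aggregator; the entries, the monitored domain and the issuer allow-list are constructed.

```python
"""Certificate Transparency alerting logic: added example, not Facebook's tool.
Assumes a list of log entries already fetched from a CT log or aggregator; the
entries, domains and issuer names below are constructed."""

MONITORED_DOMAINS = {"example.com"}     # assumption: the domains we own
EXPECTED_ISSUERS = {"Let's Encrypt"}    # assumption: the CA(s) we actually use

CT_ENTRIES = [  # constructed records in the shape a CT search returns
    {"id": 1, "issuer": "Let's Encrypt", "names": ["example.com", "www.example.com"]},
    {"id": 2, "issuer": "Let's Encrypt", "names": ["*.example.com"]},
    {"id": 3, "issuer": "Some Other CA", "names": ["login.example.com"]},
    {"id": 4, "issuer": "Some Other CA", "names": ["example.com.evil.test"]},
    {"id": 5, "issuer": "Let's Encrypt", "names": ["notexample.com"]},
]


def covers(san, domain):
    """True if a subject alternative name covers `domain` or any host under it.

    Handles exact names, subdomains and wildcard names, and does not fall for
    look-alikes where our name is merely a prefix of a longer one."""
    san = san.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def certs_for_our_domains(entries, monitored=MONITORED_DOMAINS):
    """Every entry naming one of our domains, whoever issued it (the visibility feed)."""
    return [e for e in entries
            if any(covers(n, d) for n in e["names"] for d in monitored)]


def unexpected_issuance(entries, monitored=MONITORED_DOMAINS, expected=EXPECTED_ISSUERS):
    """Entries for our domains from a CA we never use: the ones that should page someone."""
    return [e for e in certs_for_our_domains(entries, monitored)
            if e["issuer"] not in expected]


if __name__ == "__main__":
    for e in unexpected_issuance(CT_ENTRIES):
        print("ALERT: cert", e["id"], "for", e["names"], "issued by", e["issuer"])
```

Run against the constructed entries it lists entries 1, 2 and 3 as covering the monitored domain and raises an alert only for entry 3. Keep the full feed as well as the alerts: a certificate from your usual CA that nobody on the team requested is the signature of a compromised CA account, and the issuer allow-list alone will not catch it.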

Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet cloud security is oftentimes still thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.

Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of the vulnerabilities exploited will continue to be ones known to security and IT professionals for at least one year.

Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”

GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018′s privacy rules? If you trade in or with an EU country and record personal data from customers and other people, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018 – at which time organizations in non-compliance will face heavy fines (up to 20 000 000 EUR or up to 4% of annual worldwide turnover, whichever is higher). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, e.g. a cloud service provider) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller is under a legal obligation to notify the supervisory authority of a personal data breach without undue delay (where feasible, within 72 hours of becoming aware of it). Europe’s GDPR scare season is in full swing, and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.

Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.

HTTP: Several major browsers have started describing some HTTP connections as insecure, continuing the industry-wide push to promote encrypted HTTPS. Typically the non-secure labelling occurs on pages delivered over HTTP that include forms collecting passwords or credit card numbers. Firefox includes a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.

HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of the end of 2017, 23.1% of the top 10 million websites supported HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

HTTPS: In HTTPS, the HTTP communication protocol is encrypted by Transport Layer Security (TLS) or, formerly, its predecessor Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide: the browser now only ever sees the interception proxy’s certificate, so it is the proxy, not the browser, that validates the real server’s certificate, and US-CERT alert TA17-075A found many such products do that job less rigorously than the browsers they front.

ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) and incident management systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.

Identify: When you have inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.

IPv6: IPv6 usage finally seems to be accelerating in 2018. IPv6 has been “the future” since 1998, and an important future since 2007. IPv6 deployments have been increasing, and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is in any way dying. It seems that both technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default – so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work this way or not). The practical consequence is that an IPv4-only firewall policy no longer describes what a host can reach or be reached from: the same machine may be filtered on its IPv4 address and wide open on its IPv6 one, or may reach the IPv6 Internet through a 6to4 or Teredo tunnel that travels inside ordinary IPv4 packets.
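When you start seeing IPv6 addresses in logs on a network you thought was IPv4-only, the first job is to tell the transition-mechanism addresses apart from native ones, because the former have an IPv4 endpoint hidden inside them. The block below is an added example, not code from the cited deployment reports or from the original post; it uses only the standard library and sample addresses from the documentation ranges (the Teredo address is the worked example from RFC 4380).

```python
"""Classify addresses seen on a dual-stack network and extract the IPv4 endpoint
hidden inside transition-mechanism addresses. Added example; sample addresses are
constructed from documentation ranges and the RFC 4380 Teredo example."""
import ipaddress

# Standard allocations: 6to4 (RFC 3056), Teredo (RFC 4380),
# unique local (RFC 4193), global unicast (RFC 4291).
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def classify(text):
    """Return (family, kind, embedded_ipv4) for one address string."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return 4, "private" if addr.is_private else "global", None
    if addr.ipv4_mapped is not None:        # ::ffff:a.b.c.d, seen on dual-stack sockets
        return 6, "ipv4-mapped", str(addr.ipv4_mapped)
    if addr in SIX_TO_FOUR:                 # 2002:AABB:CCDD::/48 encodes IPv4 A.B.C.D
        return 6, "6to4", str(addr.sixtofour)
    if addr in TEREDO:                      # client IPv4 is stored inverted in the low 32 bits
        return 6, "teredo", str(addr.teredo[1])
    if addr.is_loopback:
        return 6, "loopback", None
    if addr.is_link_local:
        return 6, "link-local", None
    if addr in ULA:
        return 6, "unique-local", None
    if addr in GLOBAL_UNICAST:
        return 6, "global-unicast", None
    return 6, "other", None


def tunnelled_endpoints(addresses):
    """Map each 6to4/Teredo/IPv4-mapped address to the IPv4 host behind it.

    These are the peers an IPv4-only ACL never matches by their IPv6 address:
    the IPv6 traffic rides inside IPv4 (protocol 41 for 6to4, UDP 3544 for Teredo)."""
    out = {}
    for text in addresses:
        _, _, v4 = classify(text)
        if v4 is not None:
            out[text] = v4
    return out


SAMPLE = [  # constructed
    "10.10.0.5",
    "::ffff:203.0.113.7",
    "2002:c000:0204::1",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "fe80::1",
    "fd12:3456:789a::1",
    "2001:db8::1",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, classify(a))
    print(tunnelled_endpoints(SAMPLE))
```

The two tunnel kinds deserve a specific check on any network that believes it has no IPv6: a host with a public IPv4 address can bring up a 6to4 address by itself, and Teredo exists precisely to get through NAT, so either one on an internal host means IPv6 reachability that nobody designed.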

Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.

Integrate: Many gaps in security are due to an inability for disparate technologies to share information. Integration is key to making sure you get the most from your technology investments.

IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT security starts with liability for companies, not just legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. An IoT system should address security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There is a race going on for a universal IoT security standard, but it will not get anywhere near ready in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
On the bad front for industrial systems, expect more sophisticated ransomware; increased threats due to the Industrial Internet of Things (IIoT); and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.

Micro-segmentation: Categorize data based on organizational value, and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also stop attacks like WannaCry and NotPetya from propagating across networks to reach their intended targets: both spread over SMB (TCP port 445), and workstations rarely have any legitimate reason to accept SMB from other workstations.
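The effect of that one missing workstation-to-workstation rule is easiest to see by computing the blast radius under two policies. The block below is an added example, not any product’s configuration and not part of the original post: the address plan, the hosts and the rules are constructed, and `port` is a TCP destination port. It evaluates a segment-level allow-list with default deny and lists which hosts a worm on one workstation could reach on port 445.

```python
"""Segment-level allow-list policy and a blast-radius check. Added example, not a
product's configuration; the address plan, hosts and rules are constructed."""
import ipaddress

SEGMENTS = {  # constructed address plan
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "file_servers": ipaddress.ip_network("10.20.0.0/24"),
    "supplier_vpn": ipaddress.ip_network("10.30.0.0/24"),
    "plant_floor": ipaddress.ip_network("10.40.0.0/24"),
}

ANY = "*"

# What an unsegmented LAN amounts to: every host may reach every other host.
FLAT_POLICY = [(ANY, ANY, ANY)]

# Allow-list between segments; anything not listed is denied, and there is
# deliberately no workstation -> workstation rule at all.
SEGMENTED_POLICY = [
    ("workstations", "file_servers", 445),   # SMB to the file servers only
    ("supplier_vpn", "file_servers", 443),   # supplier portal over HTTPS only
    ("workstations", "plant_floor", 443),    # HMI web UI from the office
]


def segment_of(ip):
    """Name of the segment an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(policy, src_ip, dst_ip, port):
    """First-match allow for a new connection from src to dst:port; default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule_src, rule_dst, rule_port in policy:
        if rule_src in (ANY, src) and rule_dst in (ANY, dst) and rule_port in (ANY, port):
            return True
    return False


def blast_radius(policy, infected_ip, hosts, port=445):
    """Hosts a worm on `infected_ip` could reach on `port` under this policy."""
    return sorted(h for h in hosts
                  if h != infected_ip and is_allowed(policy, infected_ip, h, port))


HOSTS = ["10.10.0.5", "10.10.0.7", "10.10.1.9", "10.20.0.10", "10.30.0.4", "10.40.0.20"]

if __name__ == "__main__":
    print("flat:     ", blast_radius(FLAT_POLICY, "10.10.0.5", HOSTS))
    print("segmented:", blast_radius(SEGMENTED_POLICY, "10.10.0.5", HOSTS))
```

Under the flat policy the infected workstation can reach all five other hosts on 445; under the segmented one it reaches only the file server, and the file server in turn cannot initiate anything back toward the workstations. The rules here describe who may open a connection; a real enforcement point is stateful and lets the replies through on its own.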

Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai makers pleaded guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.

Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.

Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. And they need to be fixed. Traditional approaches may no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of the vulnerabilities exploited will continue to be ones known to security and IT professionals for at least one year.

Privacy: The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

PSD2: The EU-wide Payment Services Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.

Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.

Responsibility: People are starting to call on companies to take responsibility. Regulations such as the EU’s General Data Protection Regulation (GDPR) are being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some people say it’s time for innovators to take responsibility for their creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run almost every part of our lives – where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities is part of the same responsibility.

Risk Mitigation: Risk mitigation is a timeless subject in the information security field, and it is, in essence, what information security is all about. If we look at the biggest risks most organizations face, many of them relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The best security doesn’t exclude users, it empowers them.

Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks were common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers: a legitimate vendor update mechanism is exactly what NotPetya rode in on.

Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?

Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. Many of the attempts aim at “hack resistance” and appear to hedge a bit on whether truly unhackable hardware is achievable at all.

Virtual security: Virtual security means that manufacturers claim their products are secure, but in reality they are not.

Vulnerability: Patching is an important part of your defense strategy, and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Vulnerabilities are as old as computers, and traditional approaches may no longer suffice: as noted under Patching above, Gartner recommends a threat-centric model in which imminent threats are prioritized and remediated first, and predicts that through 2020, 99% of exploited vulnerabilities will be ones known for at least one year. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information, and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run – many organizations have no process for tracking the open source components they ship. Responsibly disclosing vulnerabilities is part of this picture as well.
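What “threat-centric” means in practice, for both the Patching and the Vulnerability entries above, is an ordering rule for the backlog in which evidence of exploitation and exposure outrank the raw severity score. The block below is an added example, not Gartner’s model and not any scanner’s output; the findings, their placeholder identifiers (VULN-n, not CVE numbers), the tier thresholds and the “today” date are all constructed.

```python
"""Threat-centric ordering of a vulnerability backlog. Added example; not
Gartner's model or any scanner's output. Records and their IDs are constructed."""
from datetime import date

TODAY = date(2018, 1, 15)  # constructed "now"

BACKLOG = [  # constructed findings; "VULN-n" are placeholders, not CVEs
    {"id": "VULN-1", "cvss": 9.8, "exploited_in_wild": False, "internet_facing": False, "published": date(2018, 1, 10)},
    {"id": "VULN-2", "cvss": 7.5, "exploited_in_wild": True,  "internet_facing": True,  "published": date(2017, 3, 14)},
    {"id": "VULN-3", "cvss": 5.3, "exploited_in_wild": False, "internet_facing": True,  "published": date(2017, 11, 1)},
    {"id": "VULN-4", "cvss": 8.1, "exploited_in_wild": True,  "internet_facing": False, "published": date(2016, 9, 20)},
    {"id": "VULN-5", "cvss": 6.5, "exploited_in_wild": False, "internet_facing": False, "published": date(2016, 2, 2)},
]


def age_days(v, today=TODAY):
    return (today - v["published"]).days


def tier(v, today=TODAY):
    """1 = imminent threat (fix now), 2 = exposed or long-known, 3 = routine cycle.
    Thresholds are assumptions for the example."""
    if v["exploited_in_wild"]:
        return 1
    if v["internet_facing"] and v["cvss"] >= 7.0:
        return 2
    if age_days(v, today) >= 365:       # year-old and still open: the Gartner point
        return 2
    return 3


def prioritize(backlog, today=TODAY):
    """Order: tier, then exploited before not, exposed before not, CVSS, then age."""
    return sorted(backlog, key=lambda v: (tier(v, today),
                                          not v["exploited_in_wild"],
                                          not v["internet_facing"],
                                          -v["cvss"],
                                          -age_days(v, today)))


def prioritized_ids(backlog, today=TODAY):
    return [v["id"] for v in prioritize(backlog, today)]


if __name__ == "__main__":
    for v in prioritize(BACKLOG):
        print(f"tier {tier(v)}  {v['id']}  cvss={v['cvss']}  age={age_days(v)}d")
```

On the constructed backlog the order comes out VULN-2, VULN-4, VULN-5, VULN-3, VULN-1: the two exploited-in-the-wild items first, then the two-year-old internal finding, and the 9.8 that was published five days ago on an internal system last. That last placement is the point of the model, and also its caveat: it only holds if the “internet_facing” and “exploited_in_wild” fields are actually maintained, which is why the inventory entry above matters more than the scoring.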

When: The myth of being able to detect every breach, insider threat or lateral movement has been punctured. Security teams are realizing they need to prepare themselves for “when” they will be breached, rather than “if.”

Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These types of threats are likely to continue into 2018.
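From the network, self-replication has a simple signature: one source opening the same port toward many distinct hosts in a short time. The block below is an added example, not any product’s detection rule and not part of the original post; the flow-log format and every log line are constructed. It counts distinct SMB (445) destinations per source inside a sliding window and flags sources that exceed a threshold, counting denied connection attempts as well, since a host that is blocked from spreading is still a host trying to spread.

```python
"""Fan-out detector over firewall-style flow logs. Added example, not a product's
rule; the log format and the lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$")


def parse(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match the format are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], m["dst"], int(m["dport"]))


def fanout_alerts(lines, port=445, window=timedelta(seconds=60), threshold=5):
    """Return {src: most distinct destinations on `port` seen inside any `window`}
    for every source that reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):               # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def _line(ts, src, dst, dport, action="allow"):
    return f"{ts} src={src} dst={dst} dport={dport} action={action}"


SAMPLE_LOG = (
    # a workstation sweeping its neighbours on 445 within 14 seconds: the worm
    [_line(f"2017-05-12T10:00:{s:02d}Z", "10.10.0.5", f"10.10.0.{n}", 445, "deny")
     for s, n in zip(range(0, 16, 2), range(20, 28))]
    # a normal user hitting the same file server repeatedly
    + [_line(f"2017-05-12T10:00:{s:02d}Z", "10.10.0.9", "10.20.0.10", 445)
       for s in range(0, 50, 5)]
    # a backup server touching many hosts on 445, but one every ten minutes
    + [_line(f"2017-05-12T{10 + m // 60:02d}:{m % 60:02d}:00Z", "10.20.0.50", f"10.10.0.{n}", 445)
       for m, n in zip(range(0, 60, 10), range(30, 36))]
    # web browsing from the same workstation: wrong port, ignored
    + [_line("2017-05-12T10:00:30Z", "10.10.0.5", "198.51.100.7", 443)]
)

if __name__ == "__main__":
    print(fanout_alerts(SAMPLE_LOG))   # {'10.10.0.5': 8}
```

The window and threshold are the tuning knobs: with the defaults only the sweeping workstation fires, while the backup server, which legitimately touches many hosts on 445 but slowly, stays quiet; widen the window to an hour and it fires too, which is the false positive you would allow-list by source rather than by raising the threshold.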

Sources:

HTTP/2 (Wikipedia)

Usage of HTTP/2 for websites

HTTPS (Wikipedia)

Firefox, Chrome start calling HTTP connections insecure

Alert (TA17-075A) HTTPS Interception Weakens TLS Security

Blockchain

Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead

Browser-based mining (Selainlouhinta)

Cybersecurity Dangers Will Spike in 2018

We’re hitting rock bottom in cyber — let’s do something | TechCrunch

Virtual Security

Mirai-makers plead guilty, Hajime still lurks in shadows

DARPA Takes Chip Route to ‘Unhackable’ Computers

Another AI attack, this time against ‘black box’ machine learnings

GDPR Portal: Site Overview

General Data Protection Regulation (Wikipedia)

Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already

How GDPR must be taken into account in software development (Miten GDPR pitää huomioida ohjelmistokehityksessä?)

Seven Seas Cybersecurity: Captain, We Have a Problem

In the Words of President Ronald Reagan, “Trust but Verify”

Why You Should Question These Most Common Cloud Assumptions

It’s 2018. Do You Know Where Your Data Are?

Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Smart Factory Connectivity for the Industrial IoT

The Race for a Universal IoT Security Standard

Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises

The Internet of Things Is Going to Change Everything About Cybersecurity

My Internet Mea Culpa: I’m sorry I was wrong. We all were.

Resolve to Mitigate Your Business’ Digital Risk in 2018

Emerging Trends in Vulnerability Management

Research reveals customer-facing web and mobile apps as top security challenge

Open Source Vulnerabilities: Are You Prepared to Run the Race?

Device Security for the Industrial Internet of Things

GDPR and Open Source: Best Practices

Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC

ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good

Threat Modeling the Internet of Things: Modeling Reaper

Engineering for Privacy Requires Standards

How to Make Adversaries Work Harder, While We Work Smarter, in 2018

2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices

Facebook Releases New Certificate Transparency Tools

iWelcome and digi.me Launch Kantara Initiative Consent Management Solutions Work Group

U.S. Military to Send Cyber Soldiers to the Battlefield

Machine Learning & Security: Making Users Part of the Equation

Security is Not a Technology Profession

State of IPv6 Deployment 2017

Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018

636 Comments

  1. Tomi Engdahl says:

    10 Ways to Lose That Security Sale
    https://www.securityweek.com/10-ways-lose-security-sale

    There are few things in life more dissimilar than security practitioners and the salespeople that sell to them. The interaction between these two groups in a professional setting often creates some pretty interesting situations.

    The article presents “10 ways to lose that security sale”:

    1. Be my fake buddy: Security practitioners may not be the most extroverted people in the world, but we generally have a pretty good sense for sincerity.

    2. Over-selling: Tell me what your product does, what problem of mine it solves, and why it’s the right choice for my organization.

    3. FUD: Fear, uncertainty, and doubt (FUD) is one of the biggest issues plaguing the security industry. Too many vendors use the same fear-driven, sky is falling approach to security sales and marketing. It might get some press or even the ear of a few, but by and large, it doesn’t resonate in the least with your target audience. Leave the FUD at the door when you come visit me.

    4. Hype and buzz: Let’s do a little test. At this year’s RSA conference, who wants to tally up how many vendors tout their capability around “machine learning”, “artificial intelligence”, “analytics”, “blockchain”, or a number of other buzzwords.

    5. Inducing an allergic reaction: If you’ve ever seen someone have an allergic reaction to something, it can be rather unpleasant and very scary to say the least. I’ve been in far too many sales meetings where I feel like the room is on the verge of this. Security practitioners have buzzwords and marketing claims hurled at them all day, every day. To the point where many are more or less “allergic” to them. Inducing an allergic reaction won’t help close the deal. Best to stick to a substantive discussion.

    6. Attaching to the “item du jour”: Some salespeople like to attach themselves to the “item du jour” (e.g., ransomware) when positioning their product or making their pitch. There are two main problems with this approach. First, while I need to understand what your product does and where it fits within the ecosystem, chances are that I have multiple different use cases I would like to apply it to. Second, today’s crisis will lose its luster at some point, and I need to know that the solution I am buying has broad applicability across multiple different situations that I may encounter.

    7. Being an ambulance chaser: Don’t you love it when salespeople contact you immediately after your organization or one of your peer organizations has been in the news because of some security related incident? Of course not. Coming in with a pitch like “if you had our product deployed, you would have been 100% protected” won’t win you any friends.

    8. Keep talking: If you don’t leave any room in the conversation for others, how can you expect to understand what your audience finds value in, what they are most interested in, and how you might be able to help them?

    9. Become combative: If I disagree with the points you are making or don’t believe that your product is a fit for my environment, nothing turns me off more than when you become combative.

    10. FoMO: Fear of missing out can be a powerful psychological force. As security professionals, we feel enough FoMO as it is. A salesperson that comes in trying to convince me that if I don’t go with their product, I am simply missing the boat isn’t what I need. For sure there are some who may take the FoMO bait, but most security practitioners I know won’t.

    Reply
  2. Tomi Engdahl says:

    BGP Flaws Patched in Quagga Routing Software
    https://www.securityweek.com/bgp-flaws-patched-quagga-routing-software

    Several vulnerabilities that could lead to denial-of-service (DoS), information disclosure, and remote code execution have been patched this week in the Quagga routing software suite.

    Quagga implements the Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) and Intermediate System to Intermediate System (IS-IS) protocols for Unix-like platforms, particularly Linux, Solaris, FreeBSD and NetBSD.

    Reply
  3. Tomi Engdahl says:

    Cloudflare is protecting the internet using groovy lava lamps
    https://techcrunch.com/2018/02/16/cloudflare-is-protecting-the-internet-using-groovy-lava-lamps/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Cloudflare has a unique way of protecting a huge portion of the world’s internet. They call it their Wall of Entropy; a wall lined with lava lamps that are being filmed with a camera. That data is then converted to numbers jumbled up with a couple other sources of randomness in other parts of the world, like a Geiger counter and a chaotic pendulum, and is then fed into an algorithm with a variety of other sources to create some really intense cryptography.

    Reply
  4. Tomi Engdahl says:

    Sqreen wants to become the IFTTT of web app security
    https://techcrunch.com/2018/02/17/sqreen-wants-to-become-the-ifttt-of-web-app-security/?utm_source=tcfbpage&sr_share=facebook

    Big companies have dedicated security teams that protect services, try to run attacks to find weaknesses and more. Smaller companies don’t necessarily have enough time and money to build a dedicated team. But your product is still vulnerable to SQL injections, XSS attacks and brute-force attacks.

    Sqreen isn’t a firewall. You just have to install a library package on your server and add a couple of lines at the top your source code to require the Sqreen module in your application.

    Once this is done, Sqreen monitors attacks in real time without a big performance hit — the startup says there’s a 4 percent CPU overhead. Sqreen now works for web apps in Node.js, Ruby, PHP, Python or Java.

    In addition to protecting you against common attacks, Sqreen makes security recommendations so that you can regularly fix vulnerabilities. And with GDPR coming soon, tech companies have a greater responsibility when it comes to protecting customer data and disclosing hacks.

    Reply
  5. Tomi Engdahl says:

    New Quantum Crypto Scheme Looks Ahead to “Quantum Internet”
    https://spectrum.ieee.org/tech-talk/computing/hardware/multiplexed-quantum-crypto-standard-looks-ahead-to-quantum-internet-age

    Chinese researchers have put forward a new quantum cryptography standard that could, if confirmed, substantially increase the speed of encrypted messages. The proposed new standard has been simulated on computers although not yet tested in the lab.

    Quantum cryptography, the next-generation of secret messages whose secrecy is guaranteed by the laws of quantum mechanics, has been in the news recently. Last fall a group from the Chinese Academy of Sciences transmitted quantum cryptographically encoded communications (via satellite) to a ground station in Vienna, Austria.

    Reply
  6. Tomi Engdahl says:

    Protect your site from Cryptojacking with CSP + SRI
    https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/

    What happened
    I had a friend of mine get in touch about his AV program throwing a warning when visiting the ICO website. The ICO bill themselves as:

    The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

    They’re the people we complain to when companies do bad things with our data. It was pretty alarming to realise that they were running a crypto miner on their site, their whole site, every single page.

    The weak link
    If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from. In this case it turned out that Text Help, an assistive technology provider, had been compromised

    Preventing these attacks
    This is not a particularly new attack and we’ve known for a long time that CDNs or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there’s a pretty easy way to defend yourself against this attack.

    With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I’ve done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page. To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute.

    Reply
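The SRI-plus-CSP defence the post above describes, worked through as an added example; this is editorial code, not part of the original comment or of Scott Helme's article. The script contents, the `cdn.example` URL and the tampered copy are constructed stand-ins. It computes the `integrity` value a page author publishes, models the browser-side comparison that rejects a modified file, and shows the `require-sri-for script` directive the post mentions alongside it.

```python
import base64
import hashlib

# Constructed sample assets (not the real third-party script): the file the
# site owner reviewed and pinned, and a modified copy of the kind the post
# describes arriving from a compromised provider.
ORIGINAL_SCRIPT = b"window.readAloud = function () { /* assistive reader */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* unexpected extra code appended upstream */\n"

# Ordered weakest to strongest; browsers accept exactly these three.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute.

    SRI metadata is "<algorithm>-<base64 of the raw digest>".
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the tag a page author publishes for a third-party script.

    crossorigin="anonymous" is needed for the browser to check SRI on a
    cross-origin script.
    """
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(integrity: str, fetched: bytes) -> bool:
    """Model the browser-side check.

    The browser hashes the bytes it actually fetched and compares them with
    the attribute. With several space-separated tokens it considers only the
    strongest algorithm listed and accepts any match among those tokens.
    A mismatch means the script is refused, not run.
    """
    tokens = integrity.split()
    algos = {t.split("-", 1)[0] for t in tokens} & set(SRI_ALGORITHMS)
    if not algos:
        # Per the spec, metadata with no recognised algorithm imposes no check.
        return True
    strongest = max(algos, key=SRI_ALGORITHMS.index)
    actual = sri_integrity(fetched, strongest)
    return any(t == actual for t in tokens if t.startswith(strongest + "-"))


# The complementary CSP directive named in the post: refuse any script that
# is loaded without an integrity attribute at all.
CSP_HEADER = "Content-Security-Policy: require-sri-for script"

if __name__ == "__main__":
    integrity = sri_integrity(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example/reader.js", ORIGINAL_SCRIPT))
    print(CSP_HEADER)
    print("pinned file accepted:  ", browser_would_execute(integrity, ORIGINAL_SCRIPT))
    print("modified file accepted:", browser_would_execute(integrity, TAMPERED_SCRIPT))
```

The pinned hash only protects content you have reviewed; every legitimate update of the third-party file requires republishing the tag, which is exactly the point: nothing changes in your page without a deliberate redeploy.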
  7. Tomi Engdahl says:

    Chef InSpec 2.0 helps automate security compliance in cloud apps
    https://techcrunch.com/2018/02/20/chef-inspec-2-0-wants-to-help-companies-automate-security-compliance-in-cloud-apps/?utm_source=tcfbpage&sr_share=facebook

    Posted Feb 20, 2018 by Ron Miller (@ron_miller)

    How many times do you hear about a company exposing sensitive data because they forgot to lock down a data repository on Amazon? It happens surprisingly often. Chef wants to help developers and operations teams prevent that kind of incident. Today, the company released InSpec 2.0, which is designed to help automate applications security and compliance in the cloud.

    InSpec is a free open source tool that enables development teams to express security and compliance rules as code. Version 1.0 was about ensuring that applications were set up properly. The new version extends this capability to the cloud. It supports AWS and Azure and comes with 30 common configurations out of the box including Docker, IIS, NGINX and PostgreSQL.

    Companies running multiple applications across multiple clouds face challenges in today’s continuous development environment. It’s actually fairly easy to leave that database exposed when it’s up to humans to continuously monitor if it’s in compliance or not.

    Reply
  8. Tomi Engdahl says:

    Poor cloud security let hackers mine cryptocurrency on Tesla’s dime
    https://techcrunch.com/2018/02/20/poor-cloud-security-let-hackers-mine-cryptocurrency-on-teslas-dime/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    The strange new breed of malicious cryptocurrency miners spares no one, it seems: Tesla is the latest to be struck by this trendy form of hackery. A poorly secured cloud computing setup let them waltz right in.

    It’s only the latest example of several detected by cloud security outfit RedLock, which has tracked a series of Kubernetes admin consoles wide open to anyone looking. Not even password-protected.

    If RedLock could find them, so could hackers — and they did.

    Reply
  9. Tomi Engdahl says:

    France Proposes Software Security Liability For Manufacturers, Open Source As Support Ends
    https://hackaday.com/2018/02/22/france-proposes-software-security-liability-for-manufacturers-open-source-as-support-ends/

    It sometimes seems as though barely a week can go by without yet another major software-related hardware vulnerability story. As manufacturers grapple with the demands of no longer building simple appliances but instead supplying them containing software that may expose itself to the world over the Internet, we see devices shipped with insecure firmware and little care for its support or updating after the sale.

    The French government have a proposal to address this problem that may be of interest to our community, to make manufacturers liable for the security of a product while it is on the market, and with the possibility of requiring its software to be made open-source at end-of-life. In the first instance it can only be a good thing for device security to be put at the top of a manufacturer’s agenda, and in the second the ready availability of source code would present reverse engineers with a bonanza.

    It’s worth making the point that this is a strategy document, what it contains are only proposals and not laws

    Highlights of the French cybersecurity strategy
    https://blog.lukaszolejnik.com/highlights-of-french-cybersecurity-strategy/

    Reply
  10. Tomi Engdahl says:

    Louise Matsakis / Wired:
    Facebook’s mandatory anti-malware scan for flagged devices lacks transparency in how scanned data is used and has locked out an undisclosed number of users

    Facebook’s Mandatory Malware Scan Is an Intrusive Mess
    https://www.wired.com/story/facebook-mandatory-malware-scan

    When an Oregon science fiction writer named Charity tried to log onto Facebook on February 11, she found herself completely locked out of her account. A message appeared saying she needed to download Facebook’s malware scanner if she wanted to get back in. Charity couldn’t use Facebook until she completed the scan, but the file the company provided was for a Windows device—Charity uses a Mac.

    “I could not actually run the software they were demanding I download and use,” she says. When she tried instead to log in from her computer at work, Facebook greeted her with the same roadblock. “Obviously there is no way for Facebook to know if my device is infected with anything, since this same message appeared on any computer I tried to access my account from,” says Charity.

    The internet is full of Facebook users frustrated with how the company handles malware threats. For nearly four years, people have complained about Facebook’s anti-malware scan on forums, Twitter, Reddit, and on personal blogs. The problems appear to have gotten worse recently.

    The malware scans likely only impact a relatively small population of Facebook’s billions of users, some of whose computers may genuinely be infected. But even a fraction of Facebook’s users still potentially means millions of impacted people. The mandatory scan has caused widespread confusion and frustration

    ‘I could not actually run the software they were demanding I download and use.’
    Charity, Facebook User

    But if Facebook doesn’t know for sure, why would it push you to clean your device? Antivirus software is a powerful tool, capable of accessing nearly everything on your computer. Some users might reasonably not want to give Facebook and its chosen cybersecurity partners that level of access. Antivirus and anti-malware software are also prone to vulnerabilities themselves

    Facebook also doesn’t appear to have regularly updated its users about which partners it relies on to supply its malware scans.

    Facebook stopped working with Kaspersky last year, following reports that Russia exploited the company’s antivirus software to trawl US government systems for classified data. F-Secure says it also stopped working with Facebook last year

    Both ESET and Trend Micro say that they continue to work with Facebook, but stressed that they had no control over how the social network handles its scanning feature.

    Even with legitimate software partners, though, Facebook’s malware-scanner notification could encourage unsafe behavior elsewhere on the web. It “will possibly train users to accept or install fake antivirus products, most of which are ransomware,”

    Facebook also hasn’t provided information about how it uses the data it gleans from its cybersecurity partners that conduct the malware scans. “What does Facebook collect from their antivirus partners?”

    Facebook has legitimate reason to want to keep malware off its service. Scammers, hackers, and even would-be cryptocurrency miners have all targeted Facebook and Facebook Messenger. But if Facebook keeps forcing its malware scans on its users, it has to commit to more transparency as well.

    Reply
  11. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers say some security certificates are being sold and registered using stolen corporate identities, making traditional network security less effective

    One-stop counterfeit certificate shops for all your malware-signing needs
    Certificates registered in names of real corporations are surprisingly easy to come by.
    https://arstechnica.com/information-technology/2018/02/counterfeit-certificates-sold-online-make-digitally-signed-malware-a-snap/

    “Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective,” Andrei Barysevich, a researcher at Recorded Future, reported.

    Barysevich identified four such sellers of counterfeit certificates since 2011. Two of them remain in business today. The sellers offered a variety of options

    “In his advertisement, C@T explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec—the largest and most respected issuers,” Thursday’s report said. “The seller indicated that each certificate is unique and will only be assigned to a single buyer, which could be easily verified via HerdProtect.com. According to C@T, the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 certificates in less than six months.”

    C@T’s business dwindled in coming years as other providers undercut his prices. One competing service provided a bare-bones code-signing certificate for $299. For $1,599, the service sold a signing certificate with extended validation—meaning it was issued to a corporate or business name that had been verified by the issuer.

    “According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations,” Barysevich wrote.

    Use of legitimate signing certificates to verify malicious apps and legitimate TLS certificates to authenticate domain names that distribute those apps can make security protections less effective. Recorded Future researchers provided one seller with an unreported remote access trojan and convinced the seller to sign it with a certificate that had been recently issued by Comodo. Only eight of the top AV providers detected an encrypted version of the trojan. Only two AV engines detected the same encrypted file when it was signed by the Comodo certificate.

    “Although code signing certificates can be effectively used in widespread malware campaigns such as the distribution of banking trojan or ransomware, the validity of the certificate used to sign a payload would be invalidated fairly quickly,”

    Reply
  12. Tomi Engdahl says:

    Phil Muncaster / Infosecurity Magazine:
    Akamai: 43% of 17B login requests tracked via Akamai platform in November and December involved credential abuse, with bots using stolen login credentials

    Bot-Driven Credential Stuffing Hits New Heights
    https://www.infosecurity-magazine.com/news/botdriven-credential-stuffing-hits

    More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai.

    The cloud delivery provider’s latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month.

    It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts.

    Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.

    Reply
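A detection view of the credential-stuffing pattern the Akamai figures above describe, as an added example that is not part of the original comment or of Akamai's report. The log lines are constructed, and the thresholds (five or more distinct accounts from one source, at least half of its attempts failing) are illustrative assumptions rather than Akamai's methodology. The same per-source aggregation also yields the share of all login attempts that came from flagged sources, the kind of figure the report gives as 43%.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample authentication log (not from any real system): one source
# cycling through many usernames, plus two ordinary users who mistype once.
SAMPLE_LOG = """\
2018-02-10T12:00:01Z src=192.0.2.10 user=alice result=FAIL
2018-02-10T12:00:09Z src=192.0.2.10 user=alice result=OK
2018-02-10T12:00:02Z src=198.51.100.7 user=bob result=FAIL
2018-02-10T12:00:02Z src=198.51.100.7 user=carol result=FAIL
2018-02-10T12:00:03Z src=198.51.100.7 user=dave result=FAIL
2018-02-10T12:00:03Z src=198.51.100.7 user=erin result=OK
2018-02-10T12:00:04Z src=198.51.100.7 user=frank result=FAIL
2018-02-10T12:00:04Z src=198.51.100.7 user=grace result=FAIL
2018-02-10T12:00:05Z src=198.51.100.7 user=heidi result=FAIL
2018-02-10T12:00:05Z src=198.51.100.7 user=ivan result=FAIL
2018-02-10T12:00:30Z src=203.0.113.5 user=judy result=OK
2018-02-10T12:00:31Z src=203.0.113.5 user=judy result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)      # distinct accounts tried
    successes: Set[str] = field(default_factory=set)  # accounts that logged in OK

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> List[dict]:
    """Parse the key=value log format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events: List[dict]) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source address."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return dict(stats)


def flag_stuffing_sources(stats: Dict[str, SourceStats],
                          min_users: int = 5, min_fail_ratio: float = 0.5) -> Set[str]:
    """A source trying many distinct accounts with mostly failures is replaying
    a credential list. Thresholds are assumptions for the example."""
    return {src for src, s in stats.items()
            if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio}


def abuse_share(events: List[dict], flagged: Set[str]) -> float:
    """Fraction of all login attempts that came from flagged sources."""
    if not events:
        return 0.0
    return sum(e["src"] in flagged for e in events) / len(events)


def compromised_accounts(stats: Dict[str, SourceStats], flagged: Set[str]) -> Set[str]:
    """Accounts where a flagged source succeeded: those credentials are
    confirmed valid elsewhere and need a reset, not just a blocked IP."""
    found: Set[str] = set()
    for src in flagged:
        found |= stats[src].successes
    return found


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    stats = profile_sources(events)
    flagged = flag_stuffing_sources(stats)
    print("flagged sources:", sorted(flagged))
    print(f"share of attempts from flagged sources: {abuse_share(events, flagged):.0%}")
    print("accounts to reset:", sorted(compromised_accounts(stats, flagged)))
```

In practice the aggregation runs over a sliding time window and a distributed botnet spreads attempts over many addresses, so per-source counts are one signal among several (per-account failure bursts across sources, user-agent uniformity, impossible travel); the successful login from a flagged source is the alert that matters most, because it marks a reused password that is now known to the attacker.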
  13. Tomi Engdahl says:

    Kim Zetter / New York Times:
    How “hacker-proof” voting machines that are not always connected to the internet can still be hacked whenever they do connect via internal modems

    The Myth of the Hacker-Proof Voting Machine
    https://www.nytimes.com/2018/02/21/magazine/the-myth-of-the-hacker-proof-voting-machine.html

    In 2011, the election board in Pennsylvania’s Venango County — a largely rural county in the northwest part of the state — asked David A. Eckhardt, a computer science professor at Carnegie Mellon University, to examine its voting systems. In municipal and state primaries that year, a few voters had reported problems with machines “flipping” votes

    Eckhardt and his colleagues concluded that the problem with the machines, made by Election Systems & Software (ES&S), was likely a simple calibration error. But the experts were alarmed by something else they discovered. Examining the election-management computer at the county’s office — the machine used to tally official election results and, in many counties, to program voting machines — they found that remote-access software had been installed on it.

    Remote-access software is a type of program that system administrators use to access and control computers remotely over the internet or over an organization’s internal network. Election systems are supposed to be air-gapped — disconnected from the internet and from other machines that might be connected to the internet. The presence of the software suggested this wasn’t the case with the Venango machine, which made the system vulnerable to hackers. Anyone who gained remote access to the system could use the software to take control of the machine. Logs showed the software was installed two years earlier and used multiple times, most notably for 80 minutes on November 1, 2010, the night before a federal election.

    The software, it turns out, was being used not by a hacker but by an authorized county contractor working from home. Still, the arrangement meant anyone who might gain control of the contractor’s home computer could use it to access and gain control of the county’s election system.

    It was just another example of something that Eckhardt and other experts had suspected for many years: that many critical election systems in the United States are poorly secured and protected against malicious attacks.

    Reply
  14. Tomi Engdahl says:

    Feds have spent 13 years failing to verify whether passport data is legit
    https://arstechnica.com/tech-policy/2018/02/border-agents-have-no-idea-if-data-held-on-e-passports-is-authentic/

    Data is read off e-passports, but CBP lacks software to verify digital signatures.

    For over a decade, Customs and Border Protection has failed to properly verify e-passports (which contain biometric data) as “it lacked the software to do so,” according to a new letter sent by two top senators.

    Reply
  15. Tomi Engdahl says:

    Veil is private browsing for the ultra-paranoid
    https://techcrunch.com/2018/02/23/veil-is-private-browsing-for-the-ultra-paranoid/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    If you’re worried about someone finding out what you’re pointing your browser at, there are plenty of options for keeping it secret, with varying levels of difficulty and effectiveness. Veil takes things further than perhaps any other anonymous browsing method by masking the page you’re viewing not just from would-be attackers, but from your own operating system.

    You enter the URL into the site and the page is retrieved for you from the special servers, encrypted in transit and in your browser cache, and only decrypted for your viewing. Links and URLs are themselves encrypted so they can’t be linked to the content requested.

    Reply
  16. Tomi Engdahl says:

    Container security fundamentals: 5 things to know
    https://enterprisersproject.com/article/2018/2/container-security-fundamentals-5-things-know?sc_cid=7016000000127ECAAY

    Can you articulate the core facts about container security – even to skeptics inside your organization? Here are 5 key points

    1. Container security is multi-level
    2. Limit dependencies to limit risk
    3. Reassess existing security practices and tools
    4. Automation plays a security role
    5. Containers help you react to emerging issues

    Reply
  17. Tomi Engdahl says:

    Systems Bits: Feb. 27
    AI alarm sounded; systems engineering inspiration; autonomous vehicle tradeoffs.
    https://semiengineering.com/systems-bits-feb-27/

    Prepare to prevent malicious AI use
    According to the University of Cambridge, 26 experts on the security implications of emerging technologies have jointly authored a ground-breaking report thereby sounding the alarm about the potential malicious use of artificial intelligence (AI) by rogue states, criminals, and terrorists.

    The report forecasts rapid growth in cyber-crime and the misuse of drones during the next decade as well as an unprecedented rise in the use of ‘bots’ to manipulate everything from elections to the news agenda and social media. This adds up to a clarion call for governments and corporations worldwide to address the clear and present danger inherent in the myriad applications of AI, they said.

    The report – The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation – also insists on interventions to mitigate the threats posed by the malicious use of AI. Specifically, policy-makers and technical researchers need to work together now to understand and prepare for the malicious use of AI.

    They acknowledge that AI has many positive applications, but it is a dual-use technology and AI researchers and engineers should be mindful of and proactive about the potential for its misuse.

    The 100-page report identifies three security domains (digital, physical, and political security) as particularly relevant to the malicious use of AI. It suggests that AI will disrupt the trade-off between scale and efficiency and allow large-scale, finely targeted and highly efficient attacks.

    Reply
  18. Tomi Engdahl says:

    12 bad enterprise security habits to break
    https://enterprisersproject.com/article/2018/2/12-bad-enterprise-security-habits-break?sc_cid=7016000000127ECAAY

    Taking shortcuts on security can compromise the enterprise. Break these bad practices before they become big problems in 2018

    Reply
  19. Tomi Engdahl says:

    Samsung Smartphones Get Encrypted Communications
    https://www.securityweek.com/samsung-smartphones-get-encrypted-communications

    KoolSpan this week announced a partnership with Samsung to implement secure communications on Samsung smartphones.

    KoolSpan, a provider of encrypted secure voice and messaging solutions for mobiles, is already offering secure communications to enterprises. With support for mainstream phones, which are normally used within organizations, the solutions bring end-to-end encryption to all internal calls and texts within a company.

    The end result of the partnership between KoolSpan and Samsung is TrustCall Native for Samsung, which provides native dialer integration on Samsung devices and which is being demonstrated at the Mobile World Congress in Barcelona.

    Reply
  20. Tomi Engdahl says:

    Widespread Vulnerability Found in Single-Sign-On Products
    https://www.securityweek.com/widespread-vulnerability-found-single-sign-products

    A behavioral quirk in SAML libraries has left many single-sign-on (SSO) implementations vulnerable to abuse. It allows an attacker that has gained any authenticated access to trick the system into granting further access as a different user without knowledge of that user’s password.

    Security Assertion Markup Language (SAML) is the underlying protocol used by most SSO implementations. It is what allows authentication to be passed between a company’s identity store and, for example, a third-party service. Typically, a user will log onto the identity store. This contains the credentials that will allow the same user to access other services.

    SAML is used to pass authentication, via the browser, from the identity provider to the third-party service, granting access. The flaw lies in how authentication is encoded by SAML in the provider’s ‘response’.

    Different affected SSOs will have different specific recommendations, and it would be best to refer to them for guidance. Similarly, there are different recommendations for maintainers of identity or service providers, maintainers of SAML processing libraries, and maintainers of XML parsing libraries. One thing that would help, suggest the authors, is the ability to enforce multi-factor authentication, “because this vulnerability would only allow a bypass of a user’s first factor of authentication.” But the authors also warn, “if your IdP is responsible for both first factor and second factor authentication, it’s likely that this vulnerability bypasses both!”

    Duo Labs / Feb 27, 2018
    Duo Finds SAML Vulnerabilities Affecting Multiple Implementations
    https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

    Reply
  21. Tomi Engdahl says:

    Fortinet Enhances Network Security OS, Adds AI-based Threat Detection
    https://www.securityweek.com/fortinet-enhances-network-security-os-adds-ai-based-threat-detection

    Two major new product announcements were made at Fortinet’s Accelerate 18 conference this week, including a new machine learning (ML) threat intelligence and detection offering, along with a major upgrade to the Fortinet Security Fabric (FortiOS).

    Accelerate 18, held in Las Vegas, Nevada, is Fortinet’s annual global partner and user conference, attended by around 2,000 Fortinet partners, customers, and industry and technical experts.

    The new ML product is called FortiGuard AI. It emerges from five years of analyses by FortiGuard Labs’ 215 researchers in 31 countries analyzing the threat data from a global network of more than 3 million security sensors. The analyses have been used, employing supervised learning techniques, to train the FortiGuard AI automatic detection engine.

    Machine learning threat detection is currently the best option for detecting new and unknown malware. But the accuracy of machine learning detection systems depends on the volume and accuracy of the data from which it learns.

    Fortinet has also announced version 6 of its Security Fabric. “FortiOS 6.0,” says founder, president and CTO Michael Xie, “delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence and automated response required for digital business.”

    The Security Fabric is based on the world’s most deployed network security operating system. It was launched in 2016 to allow different segments of network security to integrate seamlessly and to cooperate actively under the management of a central control. FortiOS 6.0 is expected to be available before the end of March 2018.

    Reply
  22. Tomi Engdahl says:

    Konark Modi:
    A look at airlines’ weak data security practices, including sharing booking data with third-party trackers

    How Airlines don’t care about your privacy: Case Study Emirates.com
    https://medium.com/@konarkmodi/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b

    I asked my wife if it is alright if her Date of Birth is known to a stranger. Only if they send me a birthday gift, she joked. What about your passport number? She lowered the book she was reading. I now had her attention.

    Now imagine this, I said “You try to check-in for your flight online, and see the error message — This booking does not exist. You try again, this surely is a mistake. Nope, still the same error message. The call center person repeats the same words. This has to be a mistake! You check your email, and there it is — staring back at you — email confirmation of cancellation. But you are sure you didn’t do it.” Whodunnit?

    This is not a far-fetched scenario from a Sci-fi book, this really happened.

    An organisation with a primary Digital Product that lacks even the basic data security practices is living in a utopian world where people leave their safe open and never expect a burglar to walk in.

    I stumbled across a few data-security practices that, as a Data Security advocate, made me extremely worried. When I voiced my concerns to the Emirates team, this conversation took place

    For a layman, when you book your flight through Emirates, Domestic or International, there are approximately 300 data points related to your booking.

    The moment you click on manage preferences to select a seat or meal for your trip or to Check-in to your flight, your Booking ID and Last name are passed on to approximately 14 different third-party trackers like Crazy egg, Boxever, Coremetrics, Google, and Facebook among others.

    After I completed the booking on Emirates, I received an e-mail confirmation titled: Booking Confirmation — Booking Number.

    While the Manage Booking link was supposed to be exclusive to me (the user and the website), this link was also shared with numerous third party trackers implemented by Emirates on their webpages.

    The cherry on the cake was the HTTP link that leads to the Manage Preferences page.

    So, not only was Emirates passing on user information to the self-implemented third party trackers, but also allowing network adversaries to have access to the supposedly “Private” page.

    I decided to take a peek into the mobile app and see if the past catches up with the present, and lo and behold there it was in its full glory — Passport Number, Email ID and Telephone number in plain text. What was obfuscated on the web app was easy to access on the mobile app.

    Now, what is wrong with this?

    This issue is not only limited to Emirates, a lot of airlines like Lufthansa, KLM (last checked on October 2017) suffer from the same issues.

    Every website uses third party trackers for improving their product and providing a better web-usage experience. Data leaks are often considered collateral damage and sometimes not even considered at all while implementing such trackers.

    Most of these third-parties are present on a lot of other websites and use long term identifiers like cookies etc to track users across domains. Now because one of the websites, in this case Emirates, leaks private information, these companies now potentially can not only link the user’s activity across the web, but also identify who the user is.

    Reporting it to Emirates:

    In the wake of responsible behaviour, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.

    The Social Media Team immediately responded to my Twitter DM with a canned response

    I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence.

    The privacy policy of Emirates itself is not very clear. It does mention some of these services, but not all of them, or what data is being shared with them.

    It is not the usage of third party services that is of concern here in this case but the implementation of these services. Emirates has the control of their website and what the website shares with third party services. It is this control that needs to be exercised to limit the leakage of User information.

    Reply
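A privacy audit of the kind the case study above calls for, as an added example that is not part of the original comment or of Konark Modi's article. It takes a capture of the requests a "manage booking" page triggers (method, URL, Referer) and reports the two problems the article identifies: booking identifiers reaching third-party hosts, in the request URL or via the Referer header, and the first-party page itself being served over plain HTTP. The `airline.example` and `tracker-*.example` hosts, the booking reference `XY7K9Q` and the surname `Smith` are all constructed.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote, urlsplit

# Hypothetical first-party registrable domain; subdomains count as first party.
FIRST_PARTY_DOMAIN = "airline.example"

# Constructed identifiers from a constructed booking (not real data).
SENSITIVE: Dict[str, str] = {"booking_ref": "XY7K9Q", "last_name": "Smith"}

# Constructed capture of requests issued while loading the manage-booking
# page, as (method, url, referer). Tracker hosts are placeholders.
CAPTURED_REQUESTS: List[Tuple[str, str, str]] = [
    ("GET", "http://www.airline.example/manage?pnr=XY7K9Q&lastname=Smith", ""),
    ("GET", "https://tracker-a.example/collect?dl=https%3A%2F%2Fwww.airline.example"
            "%2Fmanage%3Fpnr%3DXY7K9Q%26lastname%3DSmith",
     "https://www.airline.example/manage?pnr=XY7K9Q&lastname=Smith"),
    ("GET", "https://tracker-b.example/pixel.gif?v=1",
     "https://www.airline.example/manage?pnr=XY7K9Q&lastname=Smith"),
    ("GET", "https://static.airline.example/app.css",
     "https://www.airline.example/manage"),
    ("GET", "https://tracker-c.example/beacon?page=manage",
     "https://www.airline.example/"),
]

Finding = Tuple[str, str, str]  # (host, kind, sensitive field or "")


def is_first_party(host: str, domain: str = FIRST_PARTY_DOMAIN) -> bool:
    return host == domain or host.endswith("." + domain)


def identifiers_in(text: str, sensitive: Dict[str, str]) -> List[str]:
    """Names of sensitive fields whose value appears in text, after undoing
    up to two layers of percent-encoding (trackers often embed the full page
    URL, already encoded, as one query parameter)."""
    decoded = unquote(unquote(text)).lower()
    return [name for name, value in sensitive.items() if value.lower() in decoded]


def audit_requests(requests: List[Tuple[str, str, str]],
                   sensitive: Dict[str, str] = SENSITIVE,
                   domain: str = FIRST_PARTY_DOMAIN) -> List[Finding]:
    findings: List[Finding] = []
    for _method, url, referer in requests:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_first_party(host, domain):
            # The article's "cherry on the cake": a private page reachable
            # over plain HTTP exposes its identifiers to anyone on the path.
            if parts.scheme == "http":
                findings.append((host, "plaintext-http", ""))
            continue
        # Third party: anything sensitive in its URL or in the Referer it
        # receives is a leak, whether or not the tracker intends to keep it.
        for field_name in identifiers_in(url, sensitive):
            findings.append((host, "identifier-in-url", field_name))
        for field_name in identifiers_in(referer, sensitive):
            findings.append((host, "identifier-in-referer", field_name))
    return findings


def leaking_third_parties(findings: List[Finding]) -> Set[str]:
    return {host for host, kind, _ in findings if kind.startswith("identifier-in-")}


if __name__ == "__main__":
    for host, kind, field_name in audit_requests(CAPTURED_REQUESTS):
        print(f"{host:28} {kind:22} {field_name}")
    print("third parties receiving booking data:",
          sorted(leaking_third_parties(audit_requests(CAPTURED_REQUESTS))))
```

Run against a real capture (a browser's HAR export reduces to the same three fields), the check pinpoints which of the site's own tracker integrations forward the identifier and by which path, which is the control the article says Emirates has and should exercise.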
  23. Tomi Engdahl says:

    If you are interested in reading more about the presence of trackers on your favourite websites, I highly recommend checking out WhoTracksMe.

    Learn about tracking technologies, market structure and data-sharing on the web
    https://whotracks.me/

    Reply
  24. Tomi Engdahl says:

    Frank Hersey / TechNode:
    76.3% of Chinese respondents believe AI is a threat to privacy in an 8,000 person survey carried out by state-run TV network CCTV and Tencent Research

    Almost 80% of Chinese concerned about AI threat to privacy, 32% already feel a threat to their work
    http://technode.com/2018/03/02/almost-80-chinese-concerned-ai-threat-privacy-32-already-feel-threat-work/

    AI is a threat to privacy—this is how 76.3% of Chinese people feel about artificial intelligence technology according to a survey of 8,000 participants carried out by CCTV and Tencent Research. Facial recognition was the usage of AI for which respondents had the highest awareness, and over half felt AI was already having an impact on their work and life.

    The survey also revealed a high awareness of AI among the population.

    Reply
  25. Tomi Engdahl says:

    Motherboard:
    Researchers say IOTA, a cryptocurrency project with $5B+ market cap, has major security flaws; IOTA developers try to deflect claim with questionable responses

    A $5 Billion Cryptocurrency Has Enraged Cryptographers
    https://motherboard.vice.com/en_us/article/ywq44k/a-5-billion-cryptocurrency-iota-has-enraged-cryptographers-leaked-emails

    Leaked emails between IOTA developers and researchers have landed the cryptocurrency in hot water.

    Reply
  26. Tomi Engdahl says:

    It’s begun: ‘First’ IPv6 denial-of-service attack puts IT bods on notice
    Internet engineers warn this is only the beginning
    https://www.theregister.co.uk/2018/03/03/ipv6_ddos/

    What’s claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.

    Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar’s SiteProtect DDoS protection service when he realized there were “packets coming from IPv6 addresses to an IPv6 host.”

    The attack wasn’t huge – unlike this week’s record-breaking 1.35Tbps attack on GitHub – and it wasn’t using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.

    Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.

    “The risk is that if you don’t have IPv6 as part of your threat model, you could get blindsided,”

  27. Tomi Engdahl says:

    The 3 Biggest Malware Trends to Watch in 2018
    https://www.securityweek.com/3-biggest-malware-trends-watch-2018

    1. More attacks are going “clickless,” bypassing user interaction altogether
    2. Attackers are increasingly evading detection by “living off the land”
    3. “Plug-and-play” worming components are on the rise

    The bottom line is this: As the threat landscape shifts, so too must protections. The only truly effective means of defending against rapidly evolving attacks is to deploy solutions that can recognize common behaviors and elements that continue to be reused, and that will evolve along with them. Protection needs to automatically learn about new threats, and must enhance the protection they provide in real-time. By adopting tools that leverage machine learning and prioritizing prevention over recovery, we can get — and stay — one step ahead.

  28. Tomi Engdahl says:

    To Stop Phishing, Understand the Long Tail of Risk
    https://www.securityweek.com/stop-phishing-understand-long-tail-risk

    The Long Tail of Security Risk

    Quantifying the cost of a specific or typical security incident is reasonably straightforward. There are many surveys and relevant anecdotes to be found, so it’s easy to have a common scenario in mind when making decisions on business security. But this path fails to take into account the full range of outcomes, and especially the “long tail” of security risk, which is the part of the risk curve that contains the small probabilities of rarer but really big events, even catastrophic ones. If you cut off the full run of the probability curve and fail to take into account events which may be low probability, but have a significant (or disastrous) impact, you’ll underestimate your risks, probably be inadequately protected, and your business may pay a serious price.

    More “Business Thinking” On Security Needed

    Better Frameworks and Fuller Analysis

    $260,000 Median Loss

    But the best part here is the analysis around probability and outcomes. He is then able to put very specific numbers on annualized risk and calculate ROI on incremental anti-phishing investments. His model tells us that the median annual impact of phishing attacks for a business is about $260,000 for a business with 1,000 users and a data breach of 100,000 records. And when it comes to the long tail, to pick a specific point on the curve, his model shows a 10 percent likelihood that phishing attacks will cost a company with that profile more than $10 million, and that an incremental investment in advanced email and web security reduces the potentially catastrophic long tail risk by 9.3x.

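As an added illustration of the long-tail argument in the comment above (not code from the article or from its author's model, which is not published), the following Python fits a lognormal annual-loss distribution to the two figures quoted, a $260,000 median and a 10 percent chance of exceeding $10 million, and shows how much of the expected annual loss sits in the tail that a median-only view cuts off. The lognormal shape and all function names are assumptions of this example.

```python
import math

# Constructed inputs taken from the figures quoted in the article: a median
# annual phishing impact of $260,000 and a 10% chance of exceeding $10 million.
MEDIAN_LOSS = 260_000.0
TAIL_THRESHOLD = 10_000_000.0
TAIL_PROB = 0.10


def normal_cdf(z: float) -> float:
    """Standard normal CDF Phi(z) via the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def normal_quantile(p: float) -> float:
    """Inverse of normal_cdf by bisection; precise enough for risk figures."""
    lo, hi = -10.0, 10.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if normal_cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def fit_lognormal(median: float, threshold: float, tail_prob: float):
    """Lognormal parameters (mu, sigma) matching a median and one tail point.
    Assumption: losses are lognormal. This is a stand-in heavy-tailed shape,
    not the article's own model."""
    mu = math.log(median)                  # median of a lognormal is exp(mu)
    z = normal_quantile(1.0 - tail_prob)   # P(X > threshold) == tail_prob
    sigma = (math.log(threshold) - mu) / z
    return mu, sigma


def exceedance_prob(mu: float, sigma: float, threshold: float) -> float:
    """P(annual loss > threshold)."""
    return 1.0 - normal_cdf((math.log(threshold) - mu) / sigma)


def expected_loss(mu: float, sigma: float) -> float:
    """Mean of the lognormal: exp(mu + sigma^2 / 2). This is the annualized
    figure a budget should be based on, and it sits far above the median."""
    return math.exp(mu + sigma * sigma / 2.0)


def expected_loss_capped(mu: float, sigma: float, cap: float) -> float:
    """E[min(X, cap)]: what a planner who cuts the curve off at 'cap' budgets for.
    Uses E[X; X <= cap] = mean * Phi((ln cap - mu - sigma^2) / sigma)."""
    mean = expected_loss(mu, sigma)
    body = mean * normal_cdf((math.log(cap) - mu - sigma * sigma) / sigma)
    return body + cap * exceedance_prob(mu, sigma, cap)


def tail_share(mu: float, sigma: float, threshold: float) -> float:
    """Fraction of expected annual loss contributed by years above 'threshold'."""
    return normal_cdf((mu + sigma * sigma - math.log(threshold)) / sigma)


if __name__ == "__main__":
    mu, sigma = fit_lognormal(MEDIAN_LOSS, TAIL_THRESHOLD, TAIL_PROB)
    print(f"median ${math.exp(mu):,.0f}, sigma {sigma:.2f}")
    print(f"expected annual loss ${expected_loss(mu, sigma):,.0f}")
    print(f"budget if losses above $10M are ignored "
          f"${expected_loss_capped(mu, sigma, TAIL_THRESHOLD):,.0f}")
    print(f"share of expected loss from years above $10M "
          f"{tail_share(mu, sigma, TAIL_THRESHOLD):.0%}")
```

Under these assumptions roughly 94 percent of the expected annual loss comes from the one-in-ten years above $10 million, and a planner who ignores that region budgets for about an eighth of the true expectation.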
  29. Tomi Engdahl says:

    Thorough and Consistent Post-Incident Activity Strengthens Security Posture
    https://www.securityweek.com/thorough-and-consistent-post-incident-activity-strengthens-security-posture

    On that note, here are five actions that you should not overlook during post-incident activity.

    1. Conduct Root Cause Analysis. Surface-level remediation stops at the “what” – you find the threat, contain it, and eradicate it. Conducting root cause analysis helps you get to the “why”, and it is often overlooked.

    2. Use Metrics to Improve Procedures. If you’re using a strong IR platform to coordinate your response, then you should have access to lots of metrics related to your performance.

    3. Decide What Evidence to Retain and for How Long. In the second article in this series, I touched on the importance of evidence collection.

    4. Self-Assessment. Everyone knows that it’s a good idea to have a “lessons learned” meeting to assess IR performance, but NIST guidelines also suggest asking team members to assess their own performance, as well as getting input from the owners of the resource that was targeted in the incident.

    5. Properly Implementing Changes to Existing Policies Based on Lessons Learned. As I said in the intro, post-incident activities fail from a lack of follow-through, not a lack of understanding. So, my final recommendation is to simply ensure that the lessons you learn are implemented into your policies, procedures, and playbooks moving forward.

  30. Tomi Engdahl says:

    World Economic Forum Announces New Fintech Cybersecurity Consortium
    https://www.securityweek.com/world-economic-forum-announces-new-fintech-cybersecurity-consortium

    Following the announcement of a new Global Centre for Cybersecurity, the World Economic Forum (WEF) has today launched a new fintech-focused initiative: WEF’s Fintech Cybersecurity Consortium. Its aim is to create a framework for the assessment of cybersecurity in financial technology firms and data aggregators.

    https://www.securityweek.com/world-economic-forum-announces-global-centre-cybersecurity

  31. Tomi Engdahl says:

    Researchers Devise New Attacks Against 4G LTE Mobile Networks
    https://www.securityweek.com/researchers-devise-new-attacks-against-4g-lte-mobile-networks

    A team of researchers from Purdue University and the University of Iowa have discovered 10 new attacks against the 4G LTE protocol, which could allow adversaries to snoop on messages, deny service, and even track the location of users.

    In a whitepaper (PDF), the team provides information on LTEInspector, the adversarial model-based testing approach they decided to adopt in this quest, and on the 10 new vulnerabilities they discovered in the protocol, alongside 9 previously known attacks.

    LTEInspector, the researchers explain, was designed to analyze three critical procedures in the 4G LTE network, namely attach, detach, and paging. Designed to be tool-agnostic, the new approach can be “instantiated through any generic symbolic model checker and cryptographic protocol verifier,” the researchers say.

    http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02A-3_Hussain_paper.pdf

  32. Tomi Engdahl says:

    FBI chief asks tech industry to build crypto-busting not-a-backdoor
    ‘You guys can build anything if you put your mind to it’ is the gist of the argument
    https://www.theregister.co.uk/2018/03/08/fbi_director/

    FBI director Christopher Wray has addressed a cyber-security conference and again called for technologists to innovate their way around strong cryptography.

    All the FBI wants, he said, is for “law enforcement’s own lawful need to access data be taken just as seriously.”

    Wray told the conference he’s spent the last six months “catching up on all things cyber”, and that as a whole, the agency needs “more cyber and digital literacy in every program throughout the bureau”.

    Wray reiterated his complaint that the FBI’s inability to access the content of nearly 7,800 phones in fiscal 2017, “more than half the devices we attempted to access in that timeframe”, is “a major public safety issue”.

    “This problem impacts our investigations across the board—human trafficking, counterterrorism, counterintelligence, gangs, organised crime, child exploitation, and cyber”, Wray said.

    Taking public safety seriously means having the private sector “respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity. We need to have both, and can have both.”

  33. Tomi Engdahl says:

    IBM’s homomorphic encryption accelerated to run 75 times faster
    It lets you work on encrypted data without taking it to plaintext and back again
    https://www.theregister.co.uk/2018/03/08/ibm_faster_homomorphic_encryption/

    IBM has rewritten its C++ homomorphic encryption library and claims it now goes up to 75 times faster.

    Homomorphic encryption is a technique used to operate on encrypted data without decrypting it. This would make sensitive operations much more secure: for example, companies could encrypt their cloud-hosted databases, and work on them without converting records back to plaintext.

    IBM has worked on homomorphic encryption for some time, and released the first version of its HElib C++ library three years ago, but as we reported in 2016, the technology has always suffered huge performance penalties.

    IBM’s first attempts at homomorphic encryption, under the hand of its inventor Craig Gentry, ran “100 trillion times” slower than plaintext operations. It later accelerated by a factor of two million times, running on a 16-core server.

  34. Tomi Engdahl says:

    McAfee Launches Security Platform for Azure Cloud
    https://www.securityweek.com/mcafee-launches-security-platform-azure-cloud

    Migrating to the cloud is complex. One of the biggest concerns is a loss of visibility on data in the cloud; and this concern only grows with increasing regulatory requirements. GDPR, coming into force in less than 3 months’ time, is a case in point.

    Cloud access security brokers (CASBs) can improve visibility and control, but aren’t necessarily tailored to a specific cloud. Today, McAfee announced the first product resulting from its purchase of Skyhigh Networks, finalized in January 2018: the McAfee Skyhigh Security Cloud for Azure.

    “Moving applications, data and workloads to the cloud exposes enterprises to new threats and risks,” explains Rajiv Gupta, SVP of McAfee’s cloud security business unit. “At the same time, the adoption of cloud allows organizations to transform their business. This is why we are on a mission to make cloud the most secure environment for business. The introduction of McAfee Cloud Security Platform for Microsoft Azure is an important step to fulfilling this mission for our customers.”

    The new product offers five particular use cases for Azure users: configuration and compliance audit, activity monitoring, threat protection, DLP, and account management.

    The configuration element detects misconfigurations in any Azure account. AWS S3 bucket misconfigurations have exposed millions of sensitive records in recent years, and in some cases left the accounts vulnerable to a MITM attack dubbed GhostWriter.

  35. Tomi Engdahl says:

    Only Half of Those Who Paid a Ransomware Ransom Could Recover Their Data
    https://www.bleepingcomputer.com/news/security/only-half-of-those-who-paid-a-ransomware-ransom-could-recover-their-data/

    A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand.

    Timely backups are still the most efficient defense against possible ransomware infections, as they allow easy recovery.

  36. Tomi Engdahl says:

    Cavalry riding to the rescue of DDOS-deluged memcached users
    Attacks tapering, as experts argue over ‘kill switch’
    https://www.theregister.co.uk/2018/03/12/memcached_cavalry_spotted_on_the_horizon/

    DDoS attacks taking advantage of ill-advised use of memcached have begun to decline, either because sysadmins are securing the process, or because people are using a potentially-troublesome “kill switch”.

    Memcached is a handy caching tool that can improve database performance but has no security controls because it was never intended to be used on internet-exposed systems. In late February attackers started to take advantage of the fact that memcached is a very effective amplifier of UDP messages, since a 15-byte query returns answers that could be hundreds of kilobytes. Attacks on the cache briefly gave GitHub the honour of the biggest ever DDoS attack at 1.7 Tbps, but within days a US service provider took an even bigger hosing.

    Corero said that there’s a kill-switch it was deploying for clients. The flush_all command does exactly what it says: the process drops all the objects in memory, and the attack ends.

    Cloudflare and Arbor Networks warned eWeek they’re worried about the ethics and legality of someone firing flush_all at someone else’s machine, because changing the contents of a computer you don’t own is illegal in many or most jurisdictions.

    The attack volumes kept increasing for most of last week. Qihoo 360 last Wednesday said it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.

    Those included Qihoo, Google, and Amazon, various smut sites, games, security vendors, various National Rifle Association sites, and Brian Krebs’ page.

  37. Tomi Engdahl says:

    Developer mistakenly deleted data – so thoroughly nobody could pin it on him!
    Don’t ask your staff to write scripts at beer O’clock on Friday afternoon
    https://www.theregister.co.uk/2018/03/12/developer_mistakenly_deleted_data_so_thoroughly_nobody_could_pin_it_on_him/

  38. Tomi Engdahl says:

    Mobile Malware Attacks Surged in 2017: Kaspersky
    https://www.securityweek.com/mobile-malware-attacks-surged-2017-kaspersky

    The number of mobile malware attacks detected in 2017 has increased to 42.7 million, according to a new report from Kaspersky Lab.

    The surge in attacks was in contradiction to the evolution of detected mobile malicious installation packages, which amounted to 5,730,916 in 2017, almost 1.5 times lower than in 2016.

    The number of attacked users, however, increased 1.2 times compared to the previous year. According to Kaspersky, they protected 4,909,900 unique users of Android devices from the beginning of January until the end of December 2017.

    The Moscow-based security firm also says that it detected 94,368 mobile banking Trojans in 2017, 1.3 times less than in the previous year. This type of malware attacked 259,828 users in 164 countries, with Russia, Australia, and Turkey being hit the most.

  39. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Alleged NSA EternalBlue exploit, which leaked a year ago, has become a go-to tool for hackers because of its versatility and the many machines still unpatched

    The Leaked NSA Spy Tool That Hacked the World
    https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world

    An elite Russian hacking team, a historic ransomware attack, an espionage group in the Middle East, and countless small time cryptojackers all have one thing in common. Though their methods and objectives vary, they all lean on leaked NSA hacking tool EternalBlue to infiltrate target computers and spread malware across networks.

    Leaked to the public not quite a year ago, EternalBlue has joined a long line of reliable hacker favorites.

    The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc in 2003. EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere.

    “When you take something that’s weaponized and a fully developed concept and make it publicly available you’re going to have that level of uptake,”

    The One That Got Away

    EternalBlue is the name of both a software vulnerability in Microsoft’s Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers. Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA.

  40. Tomi Engdahl says:

    Blocking of Broadcom-Qualcomm Tie-up Highlights 5G Security Fears
    https://www.securityweek.com/blocking-broadcom-qualcomm-tie-highlights-5g-security-fears

    The unusual move by President Donald Trump blocking a proposed takeover of Qualcomm by Singapore-based chip rival Broadcom highlights growing concerns about the rise of Chinese competitors in the telecom sector and related national security issues.

    Trump issued an order Monday barring the proposed $117 billion acquisition, citing credible evidence such a deal “threatens to impair the national security of the United States.”

    Trump’s order made no mention of China, but an earlier letter from the US Treasury warned that a takeover might hurt US leadership in 5G, or fifth-generation wireless networks now being deployed, and consequently pose a threat to US security.

    “It’s a real threat,” said James Lewis, a former US national security official who is now vice president at the Center for Strategic and International Studies in Washington.

    “Every administration since 2002 has figured out we are vulnerable to Chinese espionage if they control the infrastructure. Qualcomm and to some degree Cisco are the last two that keep the US in the game when it comes to telecom, and we don’t want to lose them.”

  41. Tomi Engdahl says:

    Usual Threats, But More Sophisticated and Faster: Report
    https://www.securityweek.com/usual-threats-more-sophisticated-and-faster-report

    Almost Every Type of Cyber Attack is Increasing in Both Volume and Sophistication

    Eight new malware samples were recorded every second during the final three months of 2017. The use of fileless attacks, primarily via PowerShell, grew; and there was a surge in cryptocurrency hijacking malware.

    These were the primary threats outlined in the latest McAfee Labs Threats Report (PDF) covering Q4 2017.

    The growth of cryptomining malware coincided with the surge in Bitcoin value, which peaked at just under $20,000 on Dec. 22. With the cost of dedicated mining hardware at upwards of $5,000 per machine, criminals chose to steal users’ CPU time via malware. It demonstrates how criminals always follow the money, and choose the least expensive method of acquiring it with the greatest chance of avoiding detection.

  42. Tomi Engdahl says:

    My Friends, it’s True. The Times, They Are A’changin.’
    https://www.securityweek.com/my-friends-it%E2%80%99s-true-times-they-are-%E2%80%99changin%E2%80%99

    It’s time to wake up! The world around us is changing on a regular basis. Right now the types of technologies that we’re just starting to understand are already becoming outdated. Every year that passes, the pace of change accelerates.

    Opportunity knocks daily. It feels like every week, sometimes every day, we security professionals have an opportunity to influence the next big technology revolution. I think it’s safe to say that we’ve pretty much missed most of them, so far. We pontificate, belittle and ask, “Why would you do that?” But change happens.

    We must lead, follow or get out of the way. Many in security today still try to maintain they work for the department of “No.” Maybe you do, and maybe you can exert your power in some short-term way over a limited piece of your organization. But I promise you this: playing the “no” game is a losing proposition. I suggest you lead—meaning, get involved early and provide valuable guiding input. The alternative is following, which we’re all doing today and every day.

    It’s time for a stack rebuild. We’ve been dependent on a legacy technology stack in security for 20+ years. Perimeter security, on-the-wire intrusion detection and prevention, endpoint security, local identity directory and a million passwords. That stack is rapidly becoming decrepit and a hindrance to business. What does the next stack look like? I think a large hint to the future lies in the cloud. Cloud-native applications and services are inherently built with elasticity, scale, and resilience. Security should match these qualities breath for breath. I think the stack of tomorrow’s security future has to address the cloud head-on and be born in it. Identity, workload, applications, data—these are the relevant components that security will need to build the security stack around.

  43. Tomi Engdahl says:

    Spend Less, Test Faster: Choosing the Right Security Tools
    https://www.securityweek.com/spend-less-test-faster-choosing-right-security-tools

    Not every security tool is right for every environment, and just because one set of tools works well for you now at one job and company doesn’t mean it will work well – or at all – if you change jobs or especially, verticals.

    It makes sense that each of these businesses would have different tools and different expectations for how to configure and use them. Still, it’d be tough to argue that both – regardless of infrastructure, technical capabilities or even, tolerance for risk – couldn’t benefit from the ability to test and deploy new tools in a more expeditious, cost-effective manner.

    A Better, Faster Way to Test New Tools

    Testing new technology can be a real drag. No doubt, different businesses face different problems at different times, but for every business, it’s important to weigh the opportunity cost of testing tools. In other words, how important is bringing on a new solution versus working on some other critical task?

    Just to try a new firewall, it’s not uncommon to have to involve your legal team for a non-disclosure agreement, your purchasing department for a zero-dollar purchase order, your network team to manually reconfigure servers and network devices … The list of those you need to involve is long and the process can be tedious, time-consuming and expensive.

    All Right, All Right, All Right

    Bill Belichick tells his players, “Do your job.” In short, trust your tools to do their specific jobs and don’t have them try to do another tool’s job. For instance, don’t have your firewalls decrypting SSL, which can significantly degrade their performance as per an NSS Labs report.

    Designed for specific purposes, security tools should be fed only the data they need to do what they do best; they shouldn’t be burdened with irrelevant data. For example, why send a web application firewall (WAF) anything besides web traffic? Or why send an intrusion prevention system (IPS) traffic that’s already been inspected in another zone? They need the right traffic, and the right traffic only – and that’s exactly what a security delivery platform can deliver.

  44. Tomi Engdahl says:

    Klint Finley / Wired:
    ICANN’s proposal to comply with EU’s GDPR by restricting access to Whois information via an accreditation program faces criticism from privacy advocates, EFF

    Weighing Privacy vs. Security for the Internet’s Address Book
    https://www.wired.com/story/weighing-privacy-vs-security-for-the-internets-address-book

    If you head over to a Whois service and search for wired.com, you’ll see that this site is registered to our publisher Condé Nast at One World Trade Center in New York City. If you have your own domain name, you’ll find your name and home address on Whois, unless you pay for a proxy service to hide that information.

    New European privacy rules may change this—not just in Europe, but around the world. The European Union’s General Data Protection Regulation will take effect on May 25. The regulation forbids companies from sharing their European customers’ personal data without explicit permission, and gives customers the right to delete their data at any time. As a result, Whois entries may soon contain a lot less information.

